Re: spamhaus abuse free usage rules

2023-01-11 Thread Henrik K
On Thu, Jan 12, 2023 at 04:01:02AM +0100, Benny Pedersen wrote:
> > my changes do nothing to datafeed users, but it
> makes big differences to free usage

Makes zero difference how the rules are called, SA never sends duplicate physical queries, they are cached and reused.

spamhaus abuse free usage rules

2023-01-11 Thread Benny Pedersen
header RCVD_IN_XBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.[4567]$')
header RCVD_IN_PBL eval:check_rbl('zen-lastexternal', 'zen.spamhaus.org.', '^127\.0\.0\.1[01]$')
header RCVD_IN_ZEN_BLOCKED_OPENDNS eval:check_rbl('zen-lastexter

Re: RCVD_IN_SBL_CSS FP

2023-01-11 Thread Benny Pedersen
Riccardo Alfieri wrote on 2023-01-11 22:18: 46.183.103.8 is listed because it's an emitter of spam, it has been PSA: everyone using public mirrors should switch to free DQS current spamassassin rule sets use multiple check_rbl where most of them should be check_rbl_sub to avoid overloadin

Re: Rule Help - not sure what is wrong with my syntax

2023-01-11 Thread Loren Wilton
Why not do a simple rule rather than inventing some Perl code?

header TO_SPECIFIC_EMAIL To:addr =~ '(?:\bus...@example.com|\bus...@example.com|\bus...@example.com)'
describe TO_SPECIFIC_EMAIL Mail to a specific email address
score TO_SPECIFIC_EMAIL -2
header TO_SPECIFIC_DOMAIN To:addr '(?:'\@exa

Rule Help - not sure what is wrong with my syntax

2023-01-11 Thread Joey J
Hello All, I created this rule to check for email addresses matching a list to get added some negative value. I also tried it with just domains so it would be more efficient, but I can't seem to get them to run. Any suggestions?

header TO_SPECIFIC_EMAIL eval:check_to_specific_email()
describe TO_

Re: RCVD_IN_SBL_CSS FP

2023-01-11 Thread Riccardo Alfieri
46.183.103.8 is listed because it's an emitter of spam, it has been heloing with "host-41.36.37.63.tedata.net" and it is hitting traps. I could tell you exactly what botnet family these types of heloes come from, but I can't. Believe me, that host is infected. So you have an emitter that is in

Re: RCVD_IN_SBL_CSS FP

2023-01-11 Thread Benny Pedersen
Riccardo Alfieri wrote on 2023-01-11 18:36: No. It checks if an emission is done by an IP that is listed in SBL, and adds 3 points if it is (in our DQS implementation at least). IPs listed in SBL are deemed "bad" by default, so an emission from them, even if it's not direct to mx, is bad enough.

Re: RCVD_IN_SBL_CSS FP

2023-01-11 Thread Riccardo Alfieri
No. It checks if an emission is done by an IP that is listed in SBL, and adds 3 points if it is (in our DQS implementation at least). IPs listed in SBL are deemed "bad" by default, so an emission from them, even if it's not direct to mx, is bad enough. If you found an FP I encourage you to op

RCVD_IN_SBL_CSS FP

2023-01-11 Thread Benny Pedersen
it should only check received last ip, not deep all ips :/